Canadian firms still struggle to answer, “Do you know if you’ve been breached?”

To correct a problem, you first have to admit you have one. Surprisingly, 39% of Canadian respondents to the Global Information Security Survey® 2010 did not know if their organizations had been breached. As well, they are 8% less likely to know if they’ve had an incident, compared to their global counterparts. And almost half (46%) can’t identify what type of security incident occurred.

This should be a wake up call for all CEOs, CIOs and CISOs, since a false sense of security is no security at all.

For the most part, Canadian respondents rated their information security performance as consistent with the rest of the world in this, the largest study of its kind. Despite the worst economic recession in many years, security budgets appear to be protected from cost cutting, project deferrals and other measures taken by companies to conserve resources.

Not surprisingly, Canadians reported that regulatory and internal policy compliance demands are driving their investments in information security. In the rest of the world, the primary driver of spending on information security is for business continuity and disaster recovery purposes. Globally, respondents to the survey feel the regulatory burden, including looming reporting requirements, is becoming increasingly complex and arduous.

Although Canada has a significant focus on overall data protection and regulatory compliance, Canadian organizations still appear cautious when considering investment in Data Leakage Prevention (DLP) tools. It may be that these tools are still seen as emerging technologies, and therefore respondents are deciding instead to invest in other means to control the passage of electronic assets throughout their businesses. Overall, 34% of Canadian organizations have a DLP tool in place, compared to 44% globally.

Hold on to your laptop. And secure it just in case

Another significant area of difference for Canada is the number of devices that are exploited or stolen as a result of security breaches. In Canada, the most popular information tool that is exploited or stolen is a laptop computer (91%). This compares to 71% for the rest of the world, indicating that Canadian companies need to be even more vigilant to ensure that their laptops are adequately protected should they be stolen.

And, what about emerging technologies?

Emerging technologies present a range of opportunities and risks to every business. While some organizations may choose to leverage the opportunities, many risks surface by virtue of connectivity via the Internet. Technologies—such as cloud computing—promise cost efficiencies, improved IT management and scalability. On the other hand, social media brings in a culture of collaboration, improved customer experience and targeted marketing.

Although Canadians report less use of cloud computing, they do outpace their global colleagues in the use of virtualization. Virtualization is viewed as a technology enabler that provides efficient solutions to common challenges. When asked why they would not embrace cloud computing, Canadians responded overwhelmingly that they are uncertain they could enforce their security policies at the service provider level. Canadian organizations appear to understand the benefits of emerging technologies and appear ready to embrace them. But at the same time, they are wary of the associated risks.

The survey results indicate that data has now become a critical asset for organizations. The range of information to protect is immense: it can be personally identifiable information about customers or employees, financial, credit card or operational data, information stored on-line, on paper or laptops, kept behind firewalls or exchanged openly on social networks. And while regulatory compliance is a key driver for Canadians, they also understand the importance of securing data assets to protect their business brand and reputation as a safe place to do business.

Are there differences by industry group? Of course

The financial services industry reports the highest degree of investment and coverage in information security. Healthcare reports a growing concern with addressing stiffer requirements for breach notification and specific information controls. Many countries are trying to address the security implications of electronic health records to ensure privacy and integrity. Public sector organizations are under greater pressure from politicians as breaches certainly impact their future role in government. Many countries are encouraging private/public partnerships for advancing cyber security. Utilities and telecommunication service providers report that breaches tend to focus on exploiting data, whereas in the past, their networks or facilities were the targets.

So, what is being done?

Survey results reveal that Canadian organizations are looking hardest at – and placing their highest expectations on – initiatives that:

Address the “big risks” first

Improve data protection

Invest in disciplined alignment with the security strategy

Increase efficiency and reduce cost

Many organizations are also considering adopting a recognized security framework as a means of preparing for an anticipated upcoming wave of regulatory requirements.

If the next year proves to be a trial by fire, taking a more focused, well-championed, strategy-led approach to information security will be enormously valuable. This will benefit Canadian organizations in limiting damages to assets and reputations and mitigating risks, as well as positioning themselves for stronger business performance in the years ahead.

This fact remains clear: Canadian organizations need to get a bigger and better picture on the security threats facing their business. Having a knowledge advantage will make it easier for many organizations to take a more effective risk-based approach to security investment over the coming year ? and by extension, realize a better return on investment for their business.

Salim Hasham, Vice President, leads PwC’s Security practice in the Greater Toronto Area and is a leader of the Identity and Access Management portfolio of services.

David Craig, Partner, is PwC Canada’s National Security practice leader, with a particular emphasis on Payment Card Industry (PCI) services.

1The Global State of Information Security 2010 is a worldwide security survey by PricewaterhouseCoopers, CIO magazine and CSO magazine. It was conducted online from April 22 to June 15, 2009. Readers of CIO and CSO magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,200 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 130 countries. Thirty-one percent (31%) of respondents were from North America (including 4.5% from Canada), 27% from Asia, 26% from Europe, 14% from South America, and 2% from the Middle East and South Africa. The margin of error is ±1%.